The nginx configuration file behaves like a small script: its `if` directives can inspect every request and reject the ones you want to filter before they reach the application. I have collected some anti-injection scanning rules for nginx and hope they are useful to you.
These rules block SQL injection and file inclusion attempts to some extent; they are placed inside the server block of the configuration file.
Blocking SQL injection scans
The code is as follows:

```nginx
# Matches a SQL keyword surrounded by a literal "+" or a URL-encoded space (%20);
# "~*" makes the comparison case-insensitive. $request_uri is the raw,
# still percent-encoded path and query.
if ($request_uri ~* "(\+|%20)(and|or|select|exec|union)(\+|%20)") {
    return 404;
}
if ($request_uri ~* "(cost\()|(concat\()") {
    return 404;
}
# "~" is case-sensitive; $query_string is everything after the "?".
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
    return 404;
}
if ($query_string ~ "GLOBALS(=|\[|%[0-9A-Z]{0,2})") {
    return 404;
}
if ($query_string ~ "_REQUEST(=|\[|%[0-9A-Z]{0,2})") {
    return 404;
}
if ($query_string ~ "proc/self/environ") {
    return 404;
}
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") {
    return 404;
}
if ($query_string ~ "base64_(en|de)code\(.*\)") {
    return 404;
}
if ($http_user_agent ~ "Python-urllib") {
    return 404;
}
```
You can also change `return 404` to a response code or error page of your own, to give the tester a scare.
Nginx file injection prevention
The code is as follows:

```nginx
server {
    [...]

    # Block SQL injections
    set $block_sql_injections 0;
    if ($query_string ~ "union.*select.*\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "union.*all.*select.*") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "concat.*\(") {
        set $block_sql_injections 1;
    }
    if ($block_sql_injections = 1) {
        return 403;
    }

    # Block file injections (remote URLs and directory traversal in parameter values)
    set $block_file_injections 0;
    if ($query_string ~ "[a-zA-Z0-9_]=http://") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $block_file_injections 1;
    }
    if ($block_file_injections = 1) {
        return 403;
    }

    # Block common exploits
    set $block_common_exploits 0;
    if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "GLOBALS(=|\[|%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "_REQUEST(=|\[|%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "proc/self/environ") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "base64_(en|de)code\(.*\)") {
        set $block_common_exploits 1;
    }
    if ($block_common_exploits = 1) {
        return 403;
    }

    # Block spam (\b is a word boundary, so only whole words match)
    set $block_spam 0;
    if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
        set $block_spam 1;
    }
    if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
        set $block_spam 1;
    }
    if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
        set $block_spam 1;
    }
    if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
        set $block_spam 1;
    }
    if ($block_spam = 1) {
        return 403;
    }

    # Block user agents
    set $block_user_agents 0;

    # Don't disable wget if you need it to run cron jobs!
    #if ($http_user_agent ~ "Wget") {
    #    set $block_user_agents 1;
    #}

    # Disable Akeeba Remote Control 2.5 and earlier
    if ($http_user_agent ~ "Indy Library") {
        set $block_user_agents 1;
    }

    # Common bandwidth hoggers and hacking tools.
    if ($http_user_agent ~ "libwww-perl") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "GetRight") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "GetWeb!") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "Go!Zilla") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "Download Demon") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "Go-Ahead-Got-It") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "TurnitinBot") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "GrabNet") {
        set $block_user_agents 1;
    }
    if ($block_user_agents = 1) {
        return 403;
    }
}
```
Note: if the application behind nginx is an administrative backend such as phpMyAdmin, these rules will make some of its functions unavailable, because its request parameters legitimately contain SQL statements.
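Both rule sets above are plain regular-expression matches against three nginx variables, so they can be dry-run offline before being deployed. The following Python script is an added example, not code from the original post: it re-implements a representative subset of the rules from both blocks (nginx uses PCRE, and these patterns are valid Python `re` syntax as written), derives `$request_uri`, `$query_string` and `$http_user_agent` from a raw request target the same way nginx does, and evaluates constructed sample requests. The sample requests, the `evaluate` and `nginx_vars` helpers, and the 403/200 outcomes are all assumptions of this example. The last sample reproduces the phpMyAdmin caveat from the note: a legitimate `sql_query` parameter containing `+OR+` trips the first rule exactly as an injection attempt would.

```python
import re
from urllib.parse import urlsplit

# Rule table mirroring the nginx "if" checks from the two config blocks.
# Each entry: (nginx variable, pattern, case-insensitive?). nginx "~*" is
# case-insensitive and "~" is case-sensitive; Python's re.IGNORECASE gives
# the same behaviour. This is a representative subset, not the full list.
RULES = [
    ("request_uri", r"(\+|%20)(and|or|select|exec|union)(\+|%20)", True),
    ("request_uri", r"(cost\()|(concat\()", True),
    ("query_string", r"(<|%3C).*script.*(>|%3E)", False),
    ("query_string", r"GLOBALS(=|\[|%[0-9A-Z]{0,2})", False),
    ("query_string", r"_REQUEST(=|\[|%[0-9A-Z]{0,2})", False),
    ("query_string", r"proc/self/environ", False),
    ("query_string", r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)", False),
    ("query_string", r"base64_(en|de)code\(.*\)", False),
    ("query_string", r"union.*select.*\(", False),
    ("query_string", r"union.*all.*select.*", False),
    ("query_string", r"concat.*\(", False),
    ("query_string", r"[a-zA-Z0-9_]=http://", False),
    ("query_string", r"[a-zA-Z0-9_]=(\.\.//?)+", False),
    ("http_user_agent", r"Python-urllib", False),
    ("http_user_agent", r"libwww-perl", False),
]

COMPILED = [
    (var, re.compile(pat, re.IGNORECASE if ci else 0), pat)
    for var, pat, ci in RULES
]


def nginx_vars(raw_request_target, user_agent):
    """Build the nginx variables the rules read (hypothetical helper).

    $request_uri is the original, still percent-encoded path plus query;
    $query_string is the part after '?'; nginx does not URL-decode either
    before the regex is applied, so neither do we.
    """
    parts = urlsplit(raw_request_target)
    return {
        "request_uri": raw_request_target,
        "query_string": parts.query,
        "http_user_agent": user_agent,
    }


def evaluate(raw_request_target, user_agent=""):
    """Return (status, matched_pattern); 200 means no rule fired.

    Like nginx, the first matching rule decides the outcome. The configs
    above return 404 or 403 depending on the block; 403 is used here.
    """
    variables = nginx_vars(raw_request_target, user_agent)
    for var, rx, pat in COMPILED:
        if rx.search(variables[var]):
            return 403, pat
    return 200, None


# Constructed sample requests (target, user agent) for the dry run.
SAMPLES = [
    ("/index.php?id=1", "Mozilla/5.0"),
    ("/index.php?id=1+union+select+1,2,3", "Mozilla/5.0"),
    ("/download.php?file=../../config.ini", "Mozilla/5.0"),
    ("/fetch?url=http://example.com", "Mozilla/5.0"),
    ("/", "Python-urllib/3.9"),
    # phpMyAdmin-style admin request: blocked although it is legitimate.
    ("/phpmyadmin/import.php?sql_query=SELECT+*+FROM+t+WHERE+a=1+OR+b=2",
     "Mozilla/5.0"),
]


def report(samples=SAMPLES):
    """Evaluate every sample and return [(target, status, pattern), ...]."""
    return [(t, *evaluate(t, ua)) for t, ua in samples]


if __name__ == "__main__":
    for target, status, pattern in report():
        print(f"{status}  {target}  <- {pattern or 'no rule matched'}")
```

Running the script shows which rule fired for each request, which is the quickest way to see why an admin interface stops working after the rules are enabled: the keyword-between-spaces rule cannot distinguish a `sql_query` parameter typed by an operator from one submitted by a scanner, so such paths should be excluded from the rules or protected by authentication instead.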